From 97ca02f0c5c90abe8bb2c0407090aef31d004c51 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Tue, 17 Jun 2014 11:19:05 +0200 Subject: [PATCH] defrag: fix reconstruction This patch is fixing an issue in defragmentation code. The insertion of a fragment in the list of fragments is done with respect to the offset of the fragment. But the code was using the original offset of the fragment and not the one of the new reconstructed fragment (which can be different in the case of overlapping segment where the left part is trimmed). This case could lead to some evasion techniques by causing Suricata to analyse a different payload. --- src/defrag.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/defrag.c b/src/defrag.c index bd2c6e854b..f72435373b 100644 --- a/src/defrag.c +++ b/src/defrag.c @@ -697,7 +697,7 @@ insert: Frag *frag; TAILQ_FOREACH(frag, &tracker->frags, next) { - if (frag_offset < frag->offset) + if (new->offset < frag->offset) break; } if (frag == NULL) {
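Review bot: The one-line change in the `insert:` hunk is correct for the case the commit message describes, but it deserves an inline comment and a regression test. Comparing `new->offset` (the offset of the reconstructed fragment, after any left-side trim of an overlapping segment) rather than the original `frag_offset` is what keeps `tracker->frags` ordered by the offsets actually used for reassembly; a short comment above the `TAILQ_FOREACH` such as "use the trimmed offset, not the wire offset, or overlapping fragments are mis-ordered" would stop a future cleanup from reverting it. Since the old code allowed a different payload to be reassembled than the one the host sees, please add a defrag unit test with two overlapping fragments where the left part of the later one is trimmed, asserting the list order and the reassembled bytes. Also check whether `frag_offset` is still read anywhere after this branch; if not, it can be dropped to avoid an unused-variable warning.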